GAO-05-712 Information Security: Progress Made, but Federal Aviation Administration Needs to Improve Controls over Air Traffic Control Systems

In support of its mission, the Federal Aviation Administration (FAA) relies on the national airspace system (NAS) -- one of the nation's critical infrastructures -- which is comprised of air traffic control systems, procedures, facilities, aircraft, and people who operate and maintain them. Given the critical role of the NAS and the increasing connectivity of FAA's systems, it is essential that the agency implement effective information security controls to protect its air traffic control systems from internal and external threats. This report evaluated the extent to which FAA has effectively implemented information security controls to protect its air traffic control systems. Includes recommendations. Figure. This is a print on demand report.

In support of its mission, FAA relies on the NAS-one of the nation's critical infrastructures-which is comprised of air traffic control systems, procedures, facilities, aircraft, and people who operate and maintain them. Given the critical role of the NAS and the increasing connectivity of FAA's systems, it is essential that the agency implement effective information security controls to protect its air traffic control systems from internal and external threats. GAO was asked to review FAA's information security program. Specifically, the objective of this review was to evaluate the extent to which FAA had effectively implemented information security controls to protect its air traffic control systems. To do this, GAO reviewed FAA policies, procedures, and practices and compared them to the relevant federal law and guidance; assessed the implementation of security controls over FAA systems; and interviewed officials. This is a public version of a report containing sensitive security information. Information deemed sensitive has been redacted.

Weaknesses in information security (IS) in the fed. gov¿t. are a problem with potentially devastating consequences -- such as intrusions by malicious users, compromised networks, & the theft of personally identifiable info; it is a high-risk issue. Concerned by reports of significant vulnerabilities in fed. computer systems, Congress passed the Fed. Info. Security Mgmt. Act of 2002 (FISMA), which authorized & strengthened the IS program, eval¿n., & reporting require. for fed. agencies. This testimony discusses security incidents reported at fed. agencies, the continued weaknesses in IS controls at major fed. agencies, agencies¿ progress in performing key control activities, & oppor. to enhance FISMA reporting & independent evaluations. Tables.

"While the Federal Aviation Administration (FAA) has taken steps to protect its air traffic control systems from cyber-based and other threats, significant security control weaknesses remain, threatening the agency's ability to ensure the safe and uninterrupted operation of the national airspace system (NAS). These include weaknesses in controls intended to prevent, limit, and detect unauthorized access to computer resources, such as controls for protecting system boundaries, identifying and authenticating users, authorizing users to access systems, encrypting sensitive data, and auditing and monitoring activity on FAA's systems. Additionally, shortcomings in boundary protection controls between less-secure systems and the operational NAS environment increase the risk from these weaknesses." --

While the Federal Aviation Administration (FAA) has taken steps to protect its air traffic control systems from cyber-based and other threats, significant security control weaknesses remain, threatening the agency's ability to ensure the safe and uninterrupted operation of the national airspace system (NAS). These include weaknesses in controls intended to prevent, limit, and detect unauthorized access to computer resources, such as controls for protecting system boundaries, identifying and authenticating users, authorizing users to access systems, encrypting sensitive data, and auditing and monitoring activity on FAA's systems. Additionally, shortcomings in boundary protection controls between less-secure systems and the operational NAS environment increase the risk from these weaknesses. The objective of this book is to evaluate the extent to which FAA has effectively implemented information security controls to protect its air traffic control systems. This book also identifies the cybersecurity challenges facing FAA as it shifts to the NextGen ATC system and how FAA has begun addressing those challenges; and assesses the extent to which FAA and its contractors, in the acquisition of NextGen programs, have followed federal guidelines for incorporating cybersecurity controls.